Permission denied error invoking Docker on Mac host from inside Docker Ubuntu container as non-root user


I'm trying to invoke docker on my OSX host running Docker for Mac 17.06.0-ce-mac17 from inside a running jenkins docker container (jenkins:latest), per the procedure described

3 answers
  •  你的背包
    2021-02-15 17:33

    I got this working, at least automated but currently only working on docker for Mac. Docker for Mac has a unique file permission model. Chowning /var/run/docker.sock to the jenkins user manually works, and it persists across container restarts and even image regeneration, but not past docker daemon restarts. Plus, you can't do the chown in the Dockerfile because docker.sock doesn't exist yet, and you can't do it in the entrypoint because that runs as jenkins.

    So what I did was add jenkins to the "staff" group, because on my Mac, /var/run/docker.sock is symlinked down into /Users//Library/Containers/com.docker.docker/Data/s60 and is uid and gid staff. This lets the jenkins user run docker commands on the host.

    Dockerfile:

    FROM jenkins:latest
    
    # The base image ends as the unprivileged jenkins user; switch to root
    # for package installation and group changes.
    USER root
    
    RUN \
        apt-get update && \
        apt-get install -y build-essential && \
        apt-get clean && \
        rm -rf /var/lib/apt/lists/*
    
    # Docker CLI binary taken from the build context (a copy of the host's
    # `docker` client); it talks to the daemon over the bind-mounted socket.
    COPY docker /usr/bin/docker
    
    # To allow us to access /var/run/docker.sock on the Mac: the socket is
    # group-owned by "staff", so make jenkins a member of that group.
    RUN gpasswd -a jenkins staff
    
    # Drop back to the unprivileged user for the entrypoint.
    USER jenkins
    
    ENTRYPOINT ["/bin/tini", "--", "/usr/local/bin/jenkins.sh"]
    

    docker-compose.yml file:

    version: "3"
    services:
      jenkins:
        build: ./cd_jenkins
        image: cd_jenkins:latest
        ports:
          - "8080:8080"
          - "5000:5000"
        volumes:
          - ./jenkins_home:/var/jenkins_home
          - /var/run/docker.sock:/var/run/docker.sock
    

    This is, however, not portable to other systems (and depends on that docker for mac group staying "staff," which I imagine isn't guaranteed). I'd love suggested improvements to make this solution work across host systems. Other options suggested in questions like Execute docker host command inside jenkins docker container include:

    • Install sudo and let jenkins sudo and run all docker commands with sudo: adds security issues
    • "Add jenkins to the docker group" - UNIX only and probably relies on matching up gids from host to container right?
    • Setuid'ing the included docker executable might work, but has the same security elevation issues as sudo.
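The second bullet above (matching the socket's group id between host and container) is the usual portable fix, and it does not need a `docker` or `staff` group to exist in the image at all: `docker run --group-add` and the compose `group_add:` key accept a bare numeric gid, so the container user is granted whatever gid owns the socket on the host that actually runs the daemon. The following script is an added example and is not part of the original question or answer; the function names, the sample socket path and the compose fragment layout are mine, and it assumes a POSIX sh with either GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example (not from the original page): derive the numeric gid that
# owns a Docker socket and render the `docker run` / compose settings that
# grant a container user that gid, with no dependency on a named group
# ("docker", "staff") existing inside the image.
# Assumptions: POSIX sh; GNU stat (-c) or BSD/macOS stat (-f); the socket
# path is illustrative and defaults to /var/run/docker.sock.

# Print the numeric gid of the file at $1 (GNU stat first, then BSD stat).
socket_gid() {
    path="$1"
    [ -e "$path" ] || { echo "socket_gid: $path does not exist" >&2; return 1; }
    stat -c '%g' "$path" 2>/dev/null || stat -f '%g' "$path"
}

# Render the `docker run` flags that bind-mount the socket and add its gid
# as a supplementary group of the container user (the user itself stays
# unprivileged; no sudo or setuid binary is needed).
run_flags() {
    sock="$1"
    gid=$(socket_gid "$sock") || return 1
    printf -- '-v %s:%s --group-add %s\n' "$sock" "$sock" "$gid"
}

# Render the equivalent service fragment for a compose file. group_add takes
# numeric gids as strings; indentation matches a service under `services:`.
compose_fragment() {
    sock="$1"
    gid=$(socket_gid "$sock") || return 1
    printf '    volumes:\n      - %s:%s\n    group_add:\n      - "%s"\n' \
        "$sock" "$sock" "$gid"
}

# Check whether the calling user already holds gid $1 (run this inside the
# container as the jenkins user to confirm the mapping took effect).
has_gid() {
    want="$1"
    for g in $(id -G); do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Usage: ./socket-gid.sh [/path/to/docker.sock]
if [ -n "${1:-}" ]; then
    run_flags "$1"
    compose_fragment "$1"
fi
```

Two caveats. On Docker for Mac the socket the container sees is bind-mounted from the Linux VM, so the gid to feed to `--group-add` is the one visible from inside a container on that host, not what macOS `stat` reports on the symlink; a throwaway `docker run --rm -v /var/run/docker.sock:/var/run/docker.sock alpine stat -c '%g' /var/run/docker.sock` gives the right number. And none of this reduces privilege: whoever can write to the daemon socket can start a container with the host root filesystem mounted, so the jenkins user is root-equivalent on the host exactly as it would be with sudo, just without a prompt. Treat the socket mount as a root grant and scope the jobs that get it accordingly.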
